Impact of Active Directory policies on Packaging Process
Hi ,
Quick Question :
Can someone explain the Impact of Active directory security policies on Packaging process .
Do we need to consider the role of Active directory during Packaging activity .
Kindly suggest any good articles on the same .
Cheers ,
V
Quick Question :
Can someone explain the Impact of Active directory security policies on Packaging process .
Do we need to consider the role of Active directory during Packaging activity .
Kindly suggest any good articles on the same .
Cheers ,
V
0 Comments
[ + ] Show comments
Answers (7)
Please log in to answer
Posted by:
Bladerun
18 years ago
The only thing to really consider is how you want to setup the policy for your installs.
If you set up the installs on a per computer basis, no user specific settings will be installed (ie HKCU, profile specific files, etc.). Instead they will be applied to the all user profile.
If you set up the installs per user, then your user specific settings are installed.
So if you plan on installing all apps per computer, so that applications are available to anyone that logs onto a certain machine, then some tweaking to your MSI's will be necessary. (There's a number of good posts on this site regarding installing MSI's per computer, then using the self-healing property to set userspecific setings.)
If you plan on installing all apps per user, so that applications will be installed on any machine a user logs in to, then no modification is usually necessary.
If you set up the installs on a per computer basis, no user specific settings will be installed (ie HKCU, profile specific files, etc.). Instead they will be applied to the all user profile.
If you set up the installs per user, then your user specific settings are installed.
So if you plan on installing all apps per computer, so that applications are available to anyone that logs onto a certain machine, then some tweaking to your MSI's will be necessary. (There's a number of good posts on this site regarding installing MSI's per computer, then using the self-healing property to set userspecific setings.)
If you plan on installing all apps per user, so that applications will be installed on any machine a user logs in to, then no modification is usually necessary.
Posted by:
Thaiboxer
18 years ago
I don't think AD has much impact on packaging an app. It may change how you want to deliver the application, but probably not packaging.
Posted by:
viv_bhatt1
18 years ago
Thanks for reply .
Yes we are installing all applications per machine .
Few more questions with regards to the topic of discussion :
1) What about packaging applications which install unsigned drivers ?
Which one of following is a better option :
1) Try repackaging the unsigned driver
2) Changing GPO settings for allowing unsigned drivers
2) Are there any cases experienced when repackaged MSI works without AD but gives unexpected results when installed using AD + GPO ?
Cheers ,
V
Yes we are installing all applications per machine .
Few more questions with regards to the topic of discussion :
1) What about packaging applications which install unsigned drivers ?
Which one of following is a better option :
1) Try repackaging the unsigned driver
2) Changing GPO settings for allowing unsigned drivers
2) Are there any cases experienced when repackaged MSI works without AD but gives unexpected results when installed using AD + GPO ?
Cheers ,
V
Posted by:
Bladerun
18 years ago
I recently had a problem with a piece of software produced by AMBest. It installed fine when run normally, yet when I tried to create a package in policy for it, it wouldn't import it.
I ran a validation on it and found ICE errors all over the place. With much help from the good people here I was able to fix all the issues & eliminate all the ICE errors, and I could then create the policy without issue.
I ran a validation on it and found ICE errors all over the place. With much help from the good people here I was able to fix all the issues & eliminate all the ICE errors, and I could then create the policy without issue.
Posted by:
viv_bhatt1
18 years ago
HI ,
Thanks could you please elaborate more on the type of error (cause mainly) and may be the resolution for it .
I am doing an Impact analysis for my current project . I want to understand if I can use this as yet another concern .
Really appreciate your suggestions .
Cheers ,
V
Thanks could you please elaborate more on the type of error (cause mainly) and may be the resolution for it .
I am doing an Impact analysis for my current project . I want to understand if I can use this as yet another concern .
Really appreciate your suggestions .
Cheers ,
V
Posted by:
plangton
18 years ago
Viv,
For group policies, there are certain settings that affect how packages deploy. have a look at:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/92827.asp
And you'll see they are:
AllowLockdownBrowse
Enables the Browse button on the Use feature from dialog box, even when an installation is running with system permissions.
AllowLockdownMedia
Allows users to install programs from removable media, such as floppy disks and CD-ROMs, during installations running with system permissions. Installations offered on the desktop or displayed in Add/Remove Programs run with system permissions.
AllowLockdownPatch
Permits all users to install patches, even when an installation program is running with elevated system permissions.
AlwaysInstallElevated
Directs Windows Installer to use system permissions when it installs a program. By default, Windows Installer uses the user's permissions to install programs.
DisableBrowse
Disables the Browse button beside the Use feature from list in the Windows Installer dialog box. By default, the Browse button is disabled only when users who are not administrators are using system permissions to install a program.
DisableMSI
Disables or restricts the use of Windows Installer. This entry can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator.
DisablePatch
Prevents users from using Windows Installer to install patches.
DisableRollback
Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
EnableAdminTSRemote
Allows Terminal Services administrators to install and configure programs remotely.
EnableUserControl
Permits users to change installation options that typically are available only to system administrators.
Logging
Specifies the types of events that Windows Installer records in its transaction log. The log, Msi.log, appears in the Temp directory of the system volume.
SafeForScripting
Allows Web-based programs to install software on the computer without notifying the user.
TransformsSecure
Saves copies of transform files in a secure location on the local computer, instead of in the user's profile.
Hope that helps
Paul
For group policies, there are certain settings that affect how packages deploy. have a look at:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/92827.asp
And you'll see they are:
AllowLockdownBrowse
Enables the Browse button on the Use feature from dialog box, even when an installation is running with system permissions.
AllowLockdownMedia
Allows users to install programs from removable media, such as floppy disks and CD-ROMs, during installations running with system permissions. Installations offered on the desktop or displayed in Add/Remove Programs run with system permissions.
AllowLockdownPatch
Permits all users to install patches, even when an installation program is running with elevated system permissions.
AlwaysInstallElevated
Directs Windows Installer to use system permissions when it installs a program. By default, Windows Installer uses the user's permissions to install programs.
DisableBrowse
Disables the Browse button beside the Use feature from list in the Windows Installer dialog box. By default, the Browse button is disabled only when users who are not administrators are using system permissions to install a program.
DisableMSI
Disables or restricts the use of Windows Installer. This entry can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator.
DisablePatch
Prevents users from using Windows Installer to install patches.
DisableRollback
Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
EnableAdminTSRemote
Allows Terminal Services administrators to install and configure programs remotely.
EnableUserControl
Permits users to change installation options that typically are available only to system administrators.
Logging
Specifies the types of events that Windows Installer records in its transaction log. The log, Msi.log, appears in the Temp directory of the system volume.
SafeForScripting
Allows Web-based programs to install software on the computer without notifying the user.
TransformsSecure
Saves copies of transform files in a secure location on the local computer, instead of in the user's profile.
Hope that helps
Paul
Posted by:
viv_bhatt1
18 years ago
Thanks Paul ,
Really appreciate your help .
This has given me a good start .
I have found out that sometimes GPO settings have to be changed inorder to be ableto install applications which install unsigned device drivers .
I still haven't got a definite way to avoid this .
Cheers,
V
Really appreciate your help .
This has given me a good start .
I have found out that sometimes GPO settings have to be changed inorder to be ableto install applications which install unsigned device drivers .
I still haven't got a definite way to avoid this .
Cheers,
V
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.